
13 Tips for Cloud Security

Jan 15, 2015

Peak 10

Protecting your mission-critical data and applications in the cloud can best be accomplished through a joint effort between your organization and your cloud services provider (CSP).

These 13 tips can help.

1. Know Your Data

Classify the data you will be storing and/or processing in the cloud. How sensitive is it? Does it have value as intellectual property? Is it subject to privacy restrictions such as those specified by HIPAA or Safe Harbor or to standards such as PCI DSS? Then, define the security controls that are appropriate to protect that information. Make sure that the CSP has the appropriate logical and physical controls, and that they are effective.

2. Monitor Data Usage

Create a transparent process that controls who can see the information you are storing and/or processing in the cloud, and then create a “self-destruct” policy for sensitive information that does not need to live indefinitely outside of the confines of your organization.

3. Set Trust Levels

Consider two-factor or multi-factor authentication for all information that needs to be restricted. In addition, consider a tier structure for your access policies based on the level of trust you have for each person who has access to your data. Using the correct permissions and the rule of the "least privilege" are among the best protections against accidental or malicious detection. This applies to your CSP too, as well as any companies that you may work with that could potentially have access to your data.

4. Beef up Authentication Techniques

Strengthen your risk-based authentication techniques and issue security tokens to employees. You’ll also want to make sure your CSP employs identity access and authentication tools that are equal to or better than what you have in place. For added security, supplement authentication practices with safeguards such as device or IP tracking and behavioral profiling.

5. Log and Report

Put comprehensive logging and reporting in place. Logging is critical for incident response and forensics, and the reports and findings after the incident are going to depend heavily on your logging infrastructure. Also, coordinate with your CSP and make sure performance metrics for reporting and auditing are included in your service agreement.

6. Use Infrastructure Hardening

Make sure that your “golden image” virtual machines and VM templates are hardened and clean. This can be done with initial system hardening when you create the images. Take advantage of technologies that enable you to update the images offline with the latest service and security updates.

7. Employ End-to-end Encryption

Protect sensitive data wherever it might be: in motion, at rest or in use. Use whole disk encryption, which ensures that all data on the disk, not just user data files, are encrypted. This can also help prevent offline attacks. All communications to host operating systems and virtual machines should also be encrypted.

8. Hold Your Encryption Keys

Maintain an optimal security posture by holding the encryption keys. Make sure to retain ownership of your data by retaining ownership of the encryption keys, and not giving them to your CSP.

9. Develop a Plan and Educate Your Response Team

How you respond to threats and adverse events, and how rapid that response is, is an important component of security. Document responses to events and implement programs to facilitate those responses. Ask your CSP to provide you with documentation of its response plan as well.

10. Make Frequent Checks

Perform data integrity checks, such as Message Integrity Codes (parity, CRC), Message Authentication Codes (MD5/SHA) or Hashed Message Authentication Codes (HMACs) to detect data integrity compromise. If you detect data compromise, restore the data from backup or from a previous object version.
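An added example, not part of the original slides: the check-and-restore step from tip 10 in Python, using only the standard library. The key, record layout and function names are assumptions made for illustration. It contrasts an unkeyed CRC, which only catches accidental corruption, with an HMAC keyed by a secret the data owner holds, and restores the newest object version that still verifies.

```python
import hashlib
import hmac
import zlib

# Constructed demo key (assumption): held by the data owner, never by the CSP.
KEY = b"constructed-demo-key"

def crc_tag(data: bytes) -> int:
    """Unkeyed checksum: anyone able to rewrite the data can recompute it."""
    return zlib.crc32(data)

def hmac_tag(data: bytes, key: bytes = KEY) -> str:
    """Keyed tag: cannot be recomputed without the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def seal(data: bytes) -> dict:
    """Hypothetical record stored with each object version."""
    return {"data": data, "crc": crc_tag(data), "hmac": hmac_tag(data)}

def crc_ok(rec: dict) -> bool:
    return crc_tag(rec["data"]) == rec["crc"]

def hmac_ok(rec: dict, key: bytes = KEY) -> bool:
    return hmac.compare_digest(hmac_tag(rec["data"], key), rec["hmac"])

def restore(versions: list) -> tuple:
    """Return (index, data) of the newest version whose HMAC verifies."""
    for i in range(len(versions) - 1, -1, -1):
        if hmac_ok(versions[i]):
            return i, versions[i]["data"]
    raise ValueError("no version verifies; restore from backup instead")

def demo() -> dict:
    v0, v1 = seal(b"balance=100"), seal(b"balance=250")
    # Constructed case 1: accidental corruption, stored tags untouched.
    rotted = dict(v1, data=b"balance=25\x00")
    # Constructed case 2: data replaced and the CRC recomputed to match,
    # but the HMAC cannot be regenerated without the key.
    changed = dict(seal(b"balance=999"), hmac=v1["hmac"])
    return {
        "rot": (crc_ok(rotted), hmac_ok(rotted)),
        "changed": (crc_ok(changed), hmac_ok(changed)),
        "restored": restore([v0, v1, changed]),
    }

if __name__ == "__main__":
    print(demo())
```

Each tuple in the result is (CRC check passed, HMAC check passed); the second case passes the CRC check and fails only the keyed one.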

11. Leverage Security-as-a-Service Solutions

Consider employing managed security solutions as an extra layer of protection. Security, delivered as a service, allows you to take advantage of leading-edge security technologies and specialized security expertise with no upfront capital investment.

12. Isolate CSP Access

Make sure your CSP ensures isolation of access so that software, data and services can be safely partitioned within the cloud and that tenants sharing physical facilities cannot tap into their neighbors’ proprietary information and applications.

13. Insist Upon CSP Transparency

Whether you are working with a CSP for the first time or have had a long-term business relationship, require maximum transparency into your CSP’s operations. CSPs should be able to provide log files, reports and applications that allow IT administrators to view data traversing their virtual networks and events within the cloud in near real time.